Neither Rain Nor Snow Nor Security Popups

Question: Our company has overseas customers who won't
pay until they get an invoice. Naturally, our company wants payment as
soon as possible. FedEx costs $45. So we decided to send a .PDF file of
the invoice in an e-mail attachment. Our office runs Windows 2003 and
Exchange 2003. The Outlook clients are Outlook 2000.

MAPI was giving us some issues, so we decided to try VBA on Outlook.
We got it to run, but we receive a Windows message from Outlook requesting
our permission to allow the application to access Outlook. A nice security
feature to be sure, but it's driving the ladies in production control
nuts. Any suggestions?— Tim

Get
Help from Bill

Got a Windows or Exchange question or need troubleshooting
help? Or maybe you want a better explanation than provided
in the manuals? Describe your dilemma in an e-mail
to Bill at mailto:boswell@101com.com;
the best questions get answered in this column.

When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message but submit the requested
information for verification purposes.)

Answer: The Office Resource Kit has a security management
tool, the Outlook E-mail Security Administrator Package, that's designed
to handle problems like the one you're having. The tool has an overview
discussion in KB 290499, "INF: How to Configure SQL Mail" http://support.microsoft.com/view/tn.asp?kb=263556.

To extract the Security Administrator Package, first install ORK on a
desktop or server. In the files it installs, find the admpack.exe file.
It should be in C:\Program Files\ORKTOOLS\ORK11\TOOLS\Outlook Administrator
Pack (ORK10 for Outlook 2000).

When you run admpack.exe, it deposits four files in the folder of your
choice. They are:

comdlg32.ocx

hashctl.dll

Outlook

Security.oft

readme.doc

The readme.doc will tell you to copy hashctl.dll to the %windir%\system32
directory then register it: regsvr32 hashctl.dll

The readme.doc also tells you to do the same for comdlg32.ocx. Hold on,
though. If you're running XP on the desktop, don't copy comdlg32.ocx to
the %windir%\system32 directory. The version of comdlg32.ocx in XP works
just fine.

Now, on the machine where you installed the ORK, take a look at the %windir%\inf
folder. You should see a new set of ADM template files that represent
Group Policy settings for Office. The Outlook ADM file, OUTLK10.ADM, contains
a policy setting called "Outlook Virus Security Settings." This
policy setting results in a Registry entry that the Readme.doc for the
security management tool discusses:

HKCU\Software\Policies\Microsoft\Security\CheckAdminSettings

By using a GPO to apply this setting, you won't have to push out any
Registry hacks. To use the ADM template:

Create a new Group Policy Object called ORK (you can call it anything
you like) and link the GPO to the OU that contains your Outlook users.

Right-click the Administrative Templates object under User Configuration
and select Load Templates from the flyout menu.

Enable this policy and check the option to Apply Individual Settings
for Outlook Virus Security.

To make this setting take effect immediately on an XP desktop, use this
command: gpupdate /force (The /force switch
isn't strictly required, but I
like the sound of it.) On a Windows 2000 desktop, use this command:

secedit /refreshpolicy user_policy /enforce

Okay, so now you're ready to apply the security setting:

Create a public folder in the Exchange public folder tree and call
it Outlook Security Settings. This is the required name.

At a client desktop that has Outlook installed, log in using an account
with Exchange administrator privileges.

Launch Outlook then double-click the OutlookSecurity.oft file.

Before the form (defined by the oft file) launches, you'll be prompted
to select a folder. Use the tree control to select the Outlook Security
Settings folder in the public folder tree.

The Outlook Security form is fairly complex because it deals with programmatic
forms and things like that. If you only want to send a message
without getting the popup warning, do this:

Select the Programmatic Settings tab.

On the line that starts, When Sending Items Via Outlook Object Model,
click the radio button under Automatically Approve.

Click Post to post the settings to the Outlook Security Settings
public folder.

Close Outlook.

Now, log on as an average user at the desktop where you will be running
your script to send the .PDF files. Run your script and see if it works
without prompting the user.

Hope this helps!

XP
SP2 Deployments: What You've Said

I got a few replies to my request for feedback on
XP SP2 deployments in my column from last
week. Here's one from Kathel:

My company has elected to hold off installing XP SP2.
I wish my relatives had, as well. I've had three relatives
call me in a panic asking for help because of various
issues with the service pack. The first relative called
after he installed the service pack and found he was
no longer able to uninstall programs through add/remove
programs. The change/remove buttons disappeared.

The second called after her computer began spontaneously
rebooting within seconds of logging in. This one was
difficult because, as we all know, relatives rarely
give you a complete picture of what that they do to
their computers. It took several torture sessions before
she 'fessed up to allowing the XP SP2 update to run.
Relative three had intermittent loss of video, mouse,
and keyboard functionality.

All three were back in business after I removed XP
SP2, but I wonder how other, non-computer-literate home
users are faring who don't have the luxury of free support.
The removal process can be complex for the uninitiated.

Dewayne contributed this information:

I struggled with disabling the Domain profile of Windows
Firewall by default when installing SP2 for the first
time. I found some TechNet articles on it, but they
all indicated I needed to deploy SP2 with a RunOnce
reg entry and auto-logon by an admin after install to
make the run-once settings take effect. What a pain.

Instead, I installed SP2 in batch mode, then copied
in our custom netfw.inf file, overwriting the one SP2
delivered. Then, just before the reboot, the batch script
runs NETSH FIREWALL RESET to
apply the settings in the custom netfw.inf. I wasn't
sure if applying the settings before the reboot would
carry the settings through, since the system is still,
in reality, SP1 until the reboot happens — but
it does work! So, now we can deploy SP2 in our enterprise
without worrying about Windows Firewall breaking apps
by being enabled by default for the domain profile.

Also, regarding firewall profiles, this is really slick!
The domain profile is set to disable the firewall, but
as soon as you plug into a private network (i.e. take
your laptop home) the firewall is enabled. Or, if you
join a workgroup it is enabled, then when joining the
domain again, it's disabled. MS was really thinking
on that one. Here's the Firewall guide that has instructions
for building a custom .INF file for the firewall settings:

And finally, Greg had this to say about convincing
small business owners to pay for deploying SP2 in their
networks:

We have been proactively managing LANs — and that
includes deploying software upgrades and SP's via group
policy — since 2001. We know that takes 2.5 hours
to download, extract, create the policy and test the
SP install on 3-4 workstations. If you contrast that
with the standard the cost of individually getting
your mitts on a keyboard for the same amount of time
times each PC, then no problem. If you are a good field
engineer/tech and do the " justification "
(Mr. Customer, I can do this via Group Policy in about
2.5 hours + say 2 hours for follow up once or,
I can hit each PC for three-fourth of an hour of billable
time per PC times number of PCs), then it is a no-brainier.

If you know your customer, then you should be able
to say something akin to: "If we do not do this,
then please consider this Mr. CFO/CIO/CEO; Joe Sales
guy and his laptop goes into the world, misses an update
or virus update, gets a worm, comes back and floods
the LAN and you are down for three hours. Since you
have 25 employees and your billable productivity = $2,300
per hour (for all billable productivity use this: (billable
actions) - (cost actions) = (billable productivity rate))
then missing the update equals $6,900 in lost income
plus our time to fix it."

But that's just business 101 right?

Do you have good information to help other admins
through the SP2 deployment? Be sure to write me at mailto:boswell@mcpmag.com.